0005139: AddressSanitizer: heap-use-after-free rts/Sim/Units/Scripts/UnitScript.cpp:249 CUnitScript::Tick(int) - MantisBT

2024-04-23 08:16 CEST

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

ID

Project

Category

View Status

Date Submitted

Last Update

0005139

Spring engine

General

public

2016-03-06 06:21

2016-03-06 16:56

Reporter

Google_Frog

Assigned To

Kloot

Priority

normal

Severity

crash

Reproducibility

always

Status

resolved

Resolution

fixed

Product Version

101.0+git

Target Version

102.0

Fixed in Version

Summary

0005139: AddressSanitizer: heap-use-after-free rts/Sim/Units/Scripts/UnitScript.cpp:249 CUnitScript::Tick(int)

Description

A game crashed for me as well as a player in the game. The other player did not have a crash.

This is the game: http://zero-k.info/Battles/Detail/403875

Shadowfury333 crashed, here is his infolog: http://pastebin.com/G5345SD6

It talks about updating his graphics card drivers but we think that is a false positive. My infolog is attached and has a crash on the same frame but does not talk about graphics card drivers.

The other player in the game has "intel integrated graphics (hd 2000)" which may have prevented him from doing the thing that caused the crash.

Tags

No tags attached.

Checked infolog.txt for Errors

Attached Files

101-62 crash.txt (44,265 bytes) 2016-03-06 06:21
101-62 crash.txt (44,265 bytes) 2016-03-06 06:21

Relationships

Relationships

Notes
~0015980 Kloot (developer) 2016-03-06 13:51	Both traces are garbage. Ran the demo twice, each time it crashed (at different times) -> classic memory corruption.

~0015981 abma (administrator) 2016-03-06 15:27	thats what i get: Thread 1 "unknown" received signal SIGSEGV, Segmentation fault. _int_malloc (av=av@entry=0x7ffff4063c00 <main_arena>, bytes=bytes@entry=3844) at malloc.c:3483 3483 malloc.c: Datei oder Verzeichnis nicht gefunden. (gdb) bt #0 _int_malloc (av=av@entry=0x7ffff4063c00 <main_arena>, bytes=bytes@entry=3844) at malloc.c:3483 #1 0x00007ffff3d235ce in __GI___libc_malloc (bytes=3844) at malloc.c:2895 #2 0x00007ffff4614e78 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 0000003 0x0000000000a3a2a3 in __gnu_cxx::new_allocator<float>::allocate (this=<synthetischer Zeiger>, __n=961) at /usr/include/c++/5/ext/new_allocator.h:104 0000004 std::allocator_traits<std::allocator<float> >::allocate (__a=<synthetischer Zeiger>, __n=961) at /usr/include/c++/5/bits/alloc_traits.h:491 0000005 std::_Vector_base<float, std::allocator<float> >::_M_allocate (this=<synthetischer Zeiger>, __n=961) at /usr/include/c++/5/bits/stl_vector.h:170 #6 std::_Vector_base<float, std::allocator<float> >::_M_create_storage (__n=961, this=<synthetischer Zeiger>) at /usr/include/c++/5/bits/stl_vector.h:185 #7 std::_Vector_base<float, std::allocator<float> >::_Vector_base (__a=..., __n=961, this=<synthetischer Zeiger>) at /usr/include/c++/5/bits/stl_vector.h:136 #8 std::vector<float, std::allocator<float> >::vector (__a=..., __value=<optimized out>, __n=961, this=<synthetischer Zeiger>) at /usr/include/c++/5/bits/stl_vector.h:291 #9 CLosMap::UnsafeLosAdd (this=0x81078b8, li=li@entry=0x47467e0) at rts/Sim/Misc/LosMap.cpp:550 0000010 0x0000000000a3ba09 in CLosMap::LosAdd (this=<optimized out>, li=li@entry=0x47467e0) at rts/Sim/Misc/LosMap.cpp:482 #11 0x0000000000a3ba39 in CLosMap::PrepareRaycast (this=<optimized out>, instance=0x47467e0) at rts/Sim/Misc/LosMap.cpp:452 0000012 0x000000000069e417 in std::function<void (int)>::operator()(int) const (__args#0=0, this=0x27681828) at /usr/include/c++/5/functional:2267 0000013 std::_Bind<std::function<void (int)> (int)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (__args=<optimized out>, this=0x27681828) at /usr/include/c++/5/functional:1074 0000014 std::_Bind<std::function<void (int)> (int)>::operator()<, void>() (this=0x27681828) at /usr/include/c++/5/functional:1133 #15 boost::detail::task_shared_state<std::_Bind<std::function<void (int)> (int)>, void>::do_run() (this=0x27681710) at /usr/include/boost/thread/future.hpp:2917 #16 0x00000000006998ff in boost::detail::task_base_shared_state<void>::run (this=0x27681710) at /usr/include/boost/thread/future.hpp:2499 #17 boost::packaged_task<void>::operator() (this=<optimized out>) at /usr/include/boost/thread/future.hpp:3290 #18 TaskGroup<std::function<void (int)> const, int const>::enqueue(std::function<void (int)> const&, int const&)::{lambda()#1}::operator()() const (__closure=0x4f694a0) at rts/System/ThreadPool.h:186 #19 std::_Function_handler<void (), TaskGroup<std::function<void (int)> const, int const>::enqueue(std::function<void (int)> const&, int const&)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/5/functional:1871 0000020 0x000000000085114a in std::function<void ()>::operator()() const (this=0x7fffffffcfe8) at /usr/include/c++/5/functional:2267 #21 ThreadPool::DoTask (tg=...) at rts/System/ThreadPool.cpp:145 #22 ThreadPool::WaitForFinished (taskgroup=warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<TaskGroup<std::function<void (int)> const, int const>, std::allocator<TaskGroup<std::function<void (int)> const, int const> >, (__gnu_cxx::_Lock_policy)2>' warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<TaskGroup<std::function<void (int)> const, int const>, std::allocator<TaskGroup<std::function<void (int)> const, int const> >, (__gnu_cxx::_Lock_policy)2>' std::shared_ptr (count 4, weak 0) 0x2d3ce640) at rts/System/ThreadPool.cpp:181 #23 0x0000000000a32ae2 in ThreadPool::WaitForFinished<TaskGroup<std::function<void (int)> const, int const> >(std::shared_ptr<TaskGroup<std::function<void (int)> const, int const> >) (taskgroup=...) at rts/System/ThreadPool.h:117 0000024 for_mt(int, <unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba57e9>, int, int) (end=1, f=f@entry=<unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba57e9>, step=1, start=0) at rts/System/ThreadPool.h:318 #25 0x0000000000a33574 in for_mt (f=<unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba2b9b>, end=<optimized out>, start=0) at rts/System/ThreadPool.h:324 0000026 ILosType::Update (this=this@entry=0x80f4830) at rts/Sim/Misc/LosHandler.cpp:502 0000027 0x0000000000a338f1 in CLosHandler::<lambda(int)>::operator() (idx=<optimized out>, __closure=<optimized out>) at rts/Sim/Misc/LosHandler.cpp:688 #28 std::_Function_handler<void(int), CLosHandler::Update()::<lambda(int)> >::_M_invoke(const std::_Any_data &, <unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7bf877f>) (__functor=..., __args#0=<optimized out>) at /usr/include/c++/5/functional:1871 0000029 0x000000000069e417 in std::function<void (int)>::operator()(int) const (__args#0=0, this=0x25cd0928) at /usr/include/c++/5/functional:2267 #30 std::_Bind<std::function<void (int)> (int)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (__args=<optimized out>, this=0x25cd0928) at /usr/include/c++/5/functional:1074 #31 std::_Bind<std::function<void (int)> (int)>::operator()<, void>() (this=0x25cd0928) at /usr/include/c++/5/functional:1133 #32 boost::detail::task_shared_state<std::_Bind<std::function<void (int)> (int)>, void>::do_run() (this=0x25cd0810) at /usr/include/boost/thread/future.hpp:2917 #33 0x00000000006998ff in boost::detail::task_base_shared_state<void>::run (this=0x25cd0810) at /usr/include/boost/thread/future.hpp:2499 0000034 boost::packaged_task<void>::operator() (this=<optimized out>) at /usr/include/boost/thread/future.hpp:3290 0000035 TaskGroup<std::function<void (int)> const, int const>::enqueue(std::function<void (int)> const&, int const&)::{lambda()#1}::operator()() const (__closure=0x183e6f10) at rts/System/ThreadPool.h:186 #36 std::_Function_handler<void (), TaskGroup<std::function<void (int)> const, int const>::enqueue(std::function<void (int)> const&, int const&)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/5/functional:1871 #37 0x000000000085114a in std::function<void ()>::operator()() const (this=0x7fffffffd3d8) at /usr/include/c++/5/functional:2267 #38 ThreadPool::DoTask (tg=...) at rts/System/ThreadPool.cpp:145 0000039 ThreadPool::WaitForFinished (taskgroup=warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<TaskGroup<std::function<void (int)> const, int const>, std::allocator<TaskGroup<std::function<void (int)> const, int const> >, (__gnu_cxx::_Lock_policy)2>' warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<TaskGroup<std::function<void (int)> const, int const>, std::allocator<TaskGroup<std::function<void (int)> const, int const> >, (__gnu_cxx::_Lock_policy)2>' std::shared_ptr (count 4, weak 0) 0x2a0bb250) at rts/System/ThreadPool.cpp:181 #40 0x0000000000a32ae2 in ThreadPool::WaitForFinished<TaskGroup<std::function<void (int)> const, int const> >(std::shared_ptr<TaskGroup<std::function<void (int)> const, int const> >) (taskgroup=...) at rts/System/ThreadPool.h:117 #41 for_mt(int, <unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba57e9>, int, int) (end=7, f=f@entry=<unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba57e9>, step=1, start=0) at rts/System/ThreadPool.h:318 0000042 0x0000000000a32c7a in for_mt (f=<unknown type in /usr/local/bin/spring, CU 0x7b1b3b2, DIE 0x7ba2b9b>, end=<optimized out>, start=0) at rts/System/ThreadPool.h:324 0000043 CLosHandler::Update (this=0x80f46d0) at rts/Sim/Misc/LosHandler.cpp:689 0000044 0x00000000004b0a0d in CGame::SimFrame (this=this@entry=0x15954f0) at rts/Game/Game.cpp:1466 0000045 0x00000000005a5c4a in CGame::ClientReadNet (this=this@entry=0x15954f0) at rts/Net/NetCommands.cpp:511 0000046 0x00000000004b8699 in CGame::Update (this=0x15954f0) at rts/Game/Game.cpp:967 0000047 0x000000000083a5b8 in SpringApp::Update (this=this@entry=0x7fffffffe080) at rts/System/SpringApp.cpp:967 ---Type <return> to continue, or q <return> to quit--- 0000048 0x000000000083ffb8 in SpringApp::Run (this=this@entry=0x7fffffffe080) at rts/System/SpringApp.cpp:1003 0000049 0x0000000000813234 in Run (argc=argc@entry=2, argv=argv@entry=0x7fffffffe3d8) at rts/System/Main.cpp:48 0000050 0x0000000000468b24 in main (argc=2, argv=0x7fffffffe3d8) at rts/System/Main.cpp:107 also there are a ton of errors like GL_INVALID_OPERATION in glUniformMatrix(program not linked)

~0015982 abma (administrator) 2016-03-06 15:28	oh, and the second run: #0 luaH_getnum (t=t@entry=0x180ac780, key=<optimized out>) at rts/lib/lua/src/ltable.cpp:444 #1 0x00000000009238b8 in luaH_getnum (key=<optimized out>, t=0x180ac780) at rts/lib/lua/src/ltable.cpp:438 #2 unbound_search (j=<optimized out>, t=0x180ac780) at rts/lib/lua/src/ltable.cpp:537 0000003 luaH_getn (t=0x180ac780) at rts/lib/lua/src/ltable.cpp:576 0000004 0x0000000000926a67 in luaV_execute (L=L@entry=0xe1ecf90, nexeccalls=2, nexeccalls@entry=1) at rts/lib/lua/src/lvm.cpp:540 0000005 0x0000000000917fbd in luaD_call (L=0xe1ecf90, func=0xe442440, nResults=<optimized out>) at rts/lib/lua/src/ldo.cpp:378 #6 0x000000000091738a in luaD_rawrunprotected (L=L@entry=0xe1ecf90, f=f@entry=0x910030 <f_call(lua_State, void)>, ud=ud@entry=0x7fffffffd2b0) at rts/lib/lua/src/ldo.cpp:116 #7 0x000000000091815b in luaD_pcall (L=L@entry=0xe1ecf90, func=func@entry=0x910030 <f_call(lua_State, void)>, u=u@entry=0x7fffffffd2b0, old_top=16, ef=<optimized out>) at rts/lib/lua/src/ldo.cpp:464 #8 0x0000000000911829 in lua_pcall (L=L@entry=0xe1ecf90, nargs=nargs@entry=2, nresults=nresults@entry=0, errfunc=errfunc@entry=0) at rts/lib/lua/src/lapi.cpp:833 #9 0x00000000005c781c in CLuaHandle::ScopedLuaCall::ScopedLuaCall (_popErrFunc=<optimized out>, _errFuncIdx=0, _nOutArgs=0, _nInArgs=2, func=<optimized out>, state=0xe1ecf90, handle=<optimized out>, this=<synthetischer Zeiger>) at rts/Lua/LuaHandle.cpp:302 0000010 CLuaHandle::RunCallInTraceback (this=0xdf10a58, L=0xe1ecf90, hs=hs@entry=0x0, inArgs=inArgs@entry=2, outArgs=outArgs@entry=0, errFuncIndex=errFuncIndex@entry=0, tracebackMsg="", popErrorFunc=false) at rts/Lua/LuaHandle.cpp:373 #11 0x0000000000b1e2d1 in CLuaHandle::RunCallIn (errorMsg="", outArgs=0, inArgs=<optimized out>, L=<optimized out>, this=<optimized out>) at rts/Lua/LuaHandle.h:352 0000012 CLuaUnitScript::RawRunCallIn (this=this@entry=0xe30f2d0, functionId=84, inArgs=inArgs@entry=2, outArgs=outArgs@entry=0) at rts/Sim/Units/Scripts/LuaUnitScript.cpp:855 0000013 0x0000000000b1e674 in CLuaUnitScript::RunCallIn (outArgs=0, inArgs=2, id=26, this=0xe30f2d0) at rts/Sim/Units/Scripts/LuaUnitScript.cpp:410 0000014 CLuaUnitScript::Call (this=0xe30f2d0, fn=26, arg1=6, arg2=1) at rts/Sim/Units/Scripts/LuaUnitScript.cpp:500 #15 0x0000000000b26295 in CUnitScript::Tick (this=0xe30f2d0, deltaTime=deltaTime@entry=33) at rts/Sim/Units/Scripts/UnitScript.cpp:247 #16 0x0000000000b27207 in CUnitScriptEngine::Tick (this=0x7efd340, deltaTime=deltaTime@entry=33) at rts/Sim/Units/Scripts/UnitScriptEngine.cpp:94 #17 0x00000000004b09f3 in CGame::SimFrame (this=this@entry=0x1595500) at rts/Game/Game.cpp:1464 #18 0x00000000005a5c4a in CGame::ClientReadNet (this=this@entry=0x1595500) at rts/Net/NetCommands.cpp:511 #19 0x00000000004b8699 in CGame::Update (this=0x1595500) at rts/Game/Game.cpp:967 0000020 0x000000000083a5b8 in SpringApp::Update (this=this@entry=0x7fffffffe080) at rts/System/SpringApp.cpp:967 #21 0x000000000083ffb8 in SpringApp::Run (this=this@entry=0x7fffffffe080) at rts/System/SpringApp.cpp:1003 #22 0x0000000000813234 in Run (argc=argc@entry=2, argv=argv@entry=0x7fffffffe3d8) at rts/System/Main.cpp:48 #23 0x0000000000468b24 in main (argc=2, argv=0x7fffffffe3d8) at rts/System/Main.cpp:107

~0015983 abma (administrator) 2016-03-06 15:53	thats what address-sanitizer says: [f=0000031] !transmitlobby @voice@buildUnit@reload ================================================================= ==25127==ERROR: AddressSanitizer: heap-use-after-free on address 0x611001bd9f1c at pc 0x0000011ec68c bp 0x7ffef99442f0 sp 0x7ffef99442e0 WRITE of size 28 at 0x611001bd9f1c thread T0 (unknown) #0 0x11ec68b in CUnitScript::Tick(int) rts/Sim/Units/Scripts/UnitScript.cpp:249 #1 0x11eeddd in CUnitScriptEngine::Tick(int) rts/Sim/Units/Scripts/UnitScriptEngine.cpp:94 #2 0x527319 in CGame::SimFrame() rts/Game/Game.cpp:1464 0000003 0x76ec28 in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511 0000004 0x53918c in CGame::Update() rts/Game/Game.cpp:967 0000005 0xd59fee in SpringApp::Update() rts/System/SpringApp.cpp:967 #6 0xd642ef in SpringApp::Run() rts/System/SpringApp.cpp:1003 #7 0xcfa546 in Run(int, char*) rts/System/Main.cpp:48 #8 0x7fbf9ebd89ff in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x209ff) #9 0x4cf748 in _start (/usr/local/bin/spring-headless+0x4cf748) 0x611001bd9f1c is located 28 bytes inside of 224-byte region [0x611001bd9f00,0x611001bd9fe0) freed by thread T0 (unknown) here: #0 0x7fbfa1499a0a in operator delete(void) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99a0a) #1 0xc28304 in __gnu_cxx::new_allocator<CUnitScript::AnimInfo>::deallocate(CUnitScript::AnimInfo, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110 #2 0xc28304 in std::allocator_traits<std::allocator<CUnitScript::AnimInfo> >::deallocate(std::allocator<CUnitScript::AnimInfo>&, CUnitScript::AnimInfo, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517 0000003 0xc28304 in std::_Vector_base<CUnitScript::AnimInfo, std::allocator<CUnitScript::AnimInfo> >::_M_deallocate(CUnitScript::AnimInfo, unsigned long) /usr/include/c++/5/bits/stl_vector.h:178 0000004 0xc28304 in void std::vector<CUnitScript::AnimInfo, std::allocator<CUnitScript::AnimInfo> >::_M_emplace_back_aux<>() /usr/include/c++/5/bits/vector.tcc:438 previously allocated by thread T0 (unknown) here: #0 0x7fbfa1499412 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99412) #1 0xc2822d in __gnu_cxx::new_allocator<CUnitScript::AnimInfo>::allocate(unsigned long, void const) /usr/include/c++/5/ext/new_allocator.h:104 #2 0xc2822d in std::allocator_traits<std::allocator<CUnitScript::AnimInfo> >::allocate(std::allocator<CUnitScript::AnimInfo>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491 0000003 0xc2822d in std::_Vector_base<CUnitScript::AnimInfo, std::allocator<CUnitScript::AnimInfo> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170 0000004 0xc2822d in void std::vector<CUnitScript::AnimInfo, std::allocator<CUnitScript::AnimInfo> >::_M_emplace_back_aux<>() /usr/include/c++/5/bits/vector.tcc:412 SUMMARY: AddressSanitizer: heap-use-after-free rts/Sim/Units/Scripts/UnitScript.cpp:249 CUnitScript::Tick(int) Shadow bytes around the buggy address: 0x0c2280373390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22803733a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22803733b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22803733c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22803733d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c22803733e0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22803733f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa 0x0c2280373400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2280373410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2280373420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2280373430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==25127==ABORTING

~0015987 abma (administrator) 2016-03-06 16:56	i assume its fixed by https://github.com/spring/spring/commit/f2edf4c72bc4d36baf9b5df3d8516f54e1bd8581 ?!

Notes

Date Modified	Username	Field	Change
Issue History
2016-03-06 06:21	Google_Frog	New Issue
2016-03-06 06:21	Google_Frog	File Added: 101-62 crash.txt
2016-03-06 13:51	Kloot	Note Added: 0015980
2016-03-06 15:27	abma	Note Added: 0015981
2016-03-06 15:28	abma	Note Added: 0015982
2016-03-06 15:53	abma	Note Added: 0015983
2016-03-06 15:56	abma	Target Version	=> 102.0
2016-03-06 15:57	abma	Summary	101.0-62 Crash => AddressSanitizer: heap-use-after-free rts/Sim/Units/Scripts/UnitScript.cpp:249 CUnitScript::Tick(int)
2016-03-06 16:13	abma	Assigned To	=> hokomoko
2016-03-06 16:13	abma	Status	new => assigned
2016-03-06 16:56	abma	Note Added: 0015987
2016-03-06 16:56	abma	Status	assigned => resolved
2016-03-06 16:56	abma	Resolution	open => fixed
2016-03-06 16:56	abma	Assigned To	hokomoko => Kloot

Issue History